ArcSight Ideas - TEMPORARILY CLOSED

Feature Request: Automatic Case Delete

Hi all,

We are using an external system to manage security incidents that are registered in ESM by rule firings.

As one of the rule actions we set up case creation. Then, with the Case Search Group feature, we export cases to the external system and do no more operations with the cases on the ESM side. So in that situation we have a lot of open cases in ESM resources.

Now we have to delete cases from the console manually. It is uncomfortable to delete a lot of cases when there are more than 1000.

It would be nice to have the ability to set a Case TTL when creating a case with a rule action, or something else to automate the case deletion process.

Thanks,

Sergei

4 Comments
Absent Member.

Hello, Sergey!

As it is not currently available in ESM itself, you can use this query to delete old cases:

select count(*) from arc_resource where resource_type = 7 and created < 'yyyy-mm-dd hh:mm:ss';


and then:

delete from arc_resource where resource_type = 7 and created < 'yyyy-mm-dd hh:mm:ss';

commit;



Please test (make a select) before deleting.

Absent Member.

Hello, Nikolay!

Thanks for the solution!

But it would be more attractive not to work with the ArcSight database directly.

Absent Member.

Sure, but this could be a temporary solution for you unless developers make it possible in ESM.

Absent Member.

Of course! We'll use it as a temporary workaround! Thanks!